Hi Filippo,
Opening a port(tcp) to the Internet is a prerequisite for a Server behind a NAT, which uses the port to talk with clients.
Connection types between clients can be UDP p2p, TCP p2p or relay mode. There is not needs to open any port for clients and it will not effect clients.
Clients try to use NAT-Traversal to penetrate firewall and create direct connections between clients. UDP p2p is the easiest way, TCP p2p is a little bit harder and relay mode works for any situations. Clients can also detect the network status if it's possible to create p2p in terms of your NAT type. If it fails to create p2p, it will go back to relay mode automatically.
Please refer to :
http://en.wikipedia.org/wiki/Network_address_translationIn your case, if you can make sure your routers do not set to "Symmetric NAT" or it IS "Symmetric NAT" but not very busy. You can use either UDP p2p or TCP p2p. The difference is UDP is fast but may lost packets or cause packets out of order sometimes. If your application over the VPN using a poor protocol (application level), UDP may cause it stop working. TCP p2p is stable but a little bit slow.
Thanks,
KevinZ - NeoRouter team